Thang Dang Minh: Good student turned fraudster

Today, we would finally like to introduce the guy who is behind the Safabyte, ComponentForge, XtraComponents and ComponentSoft.net scam. His name is Đặng Minh Thắng, although he usually simplifies this to Thang Dang Ming or Thang Dang. Sometimes he calls himself Thang Minh, Hoang Minh or Jimmy Dang. He was born on June 9th, 1980, which means he just turned 30 today! Until recently, he might have lived or worked at 107 Phố Đức Giang in Long Biên district of Hanoi, the capital of Vietnam.

After finishing his studies at Hanoi - Amsterdam High School, a prestigious Vietnamese high school, he studied information technology at Hanoi University of Technology. In 2003, his team won the first prize at his university's Students Scientific Conference for an emedded system that controls car engines. After finishing his studies, he went on to work for various software companies located in Vietnam and abroad (such as FPT Software, one of the Vietnamese largest software companies).

At this point, Thang Dang was on his way to become a well-known and respected professional. Instead, he turned to the dark side of copyright infringement. In 2007, he launched his grand project: Safabyte, the fraudulent .NET component vendor - selling software based on code stolen from long-standing .NET component vendors such as Rebex, ComponentSpace, ComponentAce or LanapSoft. After changing his brand name and payment processor many times (once every few months recently), he still continues with this practice until this day under XtraComponents and ComponentSoft.net brands.

(You can find a photo of this Thang Dang here or here.)

We have been informed that he currently lives in the United States, possibly studying for an MBA at WKU and residing at the campus (College Heights Blvd 1806, Suite 201). This opens a wide range of opportunities! Perhaps studying law might have been a better choice for him after all? :-)

ComponentSoft.net - the scammer changed his brand. Again!

It looks like the con-artists behind Safabyte, ComponentForge decided that putting a new API on top of code stolen from Rebex (did than last time with XtraComponents) was not such a great idea after all. Instead, they decided to start over again with a new brand. In February, they launched a new website at CodeUltimate.com, but less than two months later, they finally settled on calling themselves ComponentSoft.net. They even got a brand-new website design this time. But the very stealthiness and secrecy they engage in is what revealed them again.

Let's look closer:

  • Their domain name was registered anonymously. This alone made them suspicious. Why would a reputable company do this? Unsurprisingly, he changed this to a fake name after reading this blogpost. Luckily, you can still check out componentsoft.net domain history in DomainTools - the entries in red were "privacy protected" (anonymous) registrations.
  • API of many of their components look just like Rebex API with renamed classes. Some parts were added, changed or removed, but the core functionality is the same. There are even some identical bugs!
  • They never reveal their real company name and address. When pressed through their transaction provider, they implicitly confirmed that they are not a US-registered company, yet fail to mention this on their website. Instead, they still present themselves as "ComponentSoft, a division of ATP, Inc., located in Walnut, California" while in fact they appear to be a division of "ATP Technology, JSC located in Hanoi, Vietnam".
  • Once again, they claim that "ATP, Inc. is a Microsoft Certified Partner", which is very unlikely because this "ATP, Inc." doesn't even seem to exist.
  • Their install package contains two sets of DLLs. One set infringes on Rebex IP, other set infringes on other people's IP. The installer decides which one to install. This doesn't look like something a reputable company would do, ever. He will undoubtedly get rid of the fake DLLs now, but his customers victims who have downloaded the package prior to publishing this blogpost can still verify this (contact us for details).
  • Many of their forum posts are from 2009. This is very suspicious, because the domain name was only registered in March (and the previous domain in January). In fact, these forum posts were simply recycled from the forums of their previous incarnations - unsurprisingly, they treat their customers' support request and nicknames just like other people's code. Their ComponentSoft News also extend back to 2009. No mention of any name change. But we understand - changing their name is no longer a news for them.
  • The testimonials at their website never mention anyone who could be contacted to verify them. In fact, many of these testimonials look copy&pasted from other companies' websites.
  • They pretend that completely unrelated website (with .eu instead of .net in the domain name)

Still not convinced? Then just use .NET Reflector to compare the assemblies. The code in the first picture was written by Rebex. It is a part of SshSession.SendPacket method. An identical code can be found in ComponentSoft's UltimateSftp.dll assembly (the second picture):

The scammer will undoubtedly modify the stolen version of SshSession.SendPacket as soon as he becomes aware of this post, but it doesn't really matter. Most of the code in a majority of his components comes from Rebex, so we can simply find another example. Just let us know if you need additional information to do your own analysis.

Kill switch found in ComponentForge/Safabyte components

Summary

We just learned that some versions of ComponentForge and Safabyte products include a "kill-switch" or "call-home"-code that occasionally calls a webservice at the vendor's website. This can be both security and reliability threat. Full version of NetXtremeFtp Suite was reported to contain this functionality. We are not sure yet whether their other components or XtraComponents products also suffer from this issue. Needless to say, there is no mention of this anywhere at the vendor's website or in their "privacy policy". But what else to expect from a fraudulent business entity that doesn't even tell you their address or owner name...

Symptoms

 

When using the purchased "full version" of NetXtremeFtp Suite sold under ComponentForge and Safabyte brands, you may experience the following SfbLicenseException error when ComponentForge or Safabyte websites are not operational:

{"The license key is invalid or has been deactivated. Please contact ComponentForge Sales Team at sales@componentforge.net."}

This exception is raised from a background thread that is started when the FtpClient object's constructor is called.

Complete stack trace:

at Cforge.Licensing.Ftp.SfbLicenseManager.ValidateLicenseThreadStart()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()


Analysis

 

NetXtreme component is trying to validate a license key at runtime by calling a webservice located at ComponentForge or SafaByte websites. The address of this webservice is http://www.componentforge.net/license.aspx?val=key or http://www.safabyte.com/license.aspx?val=key, where "key" is the "license key" you get when you purchase a "license" to these stolen components. The webservice returns a single byte: 1 if the key is valid and 0 if it isn't. This test is not done every time and it only occurs on 3rd, 6th, 9th, 12th, ... day of every month.

Validating license keys by calling a webservice at the vendor's website is a very bad practice because it makes the component completely unusable:
  • when disconnected from the Internet
  • when it runs behind a paranoid firewall
  • when the vendor's website is being rebooted, in maintenance or just inaccessible
  • when Safabyte/ComponentForge goes out of business (which can happen overnight)

On December 3rd, 2009, some versions of NetXtreme FTP Suite stopped working when both ComponentForge and SafaByte websites were down temporarily. This behavior was only observed in the purchased copies of the components.

It is quite amusing that a Vietnamese software pirate is so concerned about other people pirating his software that he has chosen to offer this crippled version as the "full version" of his product.

Kill switch

This "feature" makes it possible for the vendor to:

  • render any "full version" of the software useless by disabling its license key in their database
  • cause a forced upgrade without the customers agreement (by switching off old license keys)
Even well-known companies have been criticized for including kill switches in their products. Because ComponentForge/Safabyte/XtraComponents “company” is actually a scam, this is yet another reason to stop using their products immediately. Essentially, all their clients are at the mercy of a software pirate.

Possible security threat?

It is always worrying when a component connects to a webservice at the vendor’s website, and even more so if it was made by a fraudulent entity. For example, it would be extremely easy to "enhance" this to steal their client's passwords as well. Although this doesn't seem to be the case at the moment, the infrastructure is there.

Also, calling a webservice at the vendor's website means that he knows IP addresses of all his clients, which in itself can be a security thread.

Solution

Considering that all Safabyte/ComponentForge/XtraComponents products mentioned in this article are illegally based on source code owned by Rebex and other vendors, all customers are advised to cease using them and to replace them with legitimate products by reputable companies, preferrably those that don't call any questinable webservices behind their back.

Credits 

Big thanks goes to Max, former ComponentForge/Safabyte client, for bringing this issue to our attention!

 

Surprise for XtraComponents

Earlier this week, one of the "easter eggs" we placed in the builds of DLLs downloaded and reverse-engineered by XtraComponents/ComponentForge became active and some of their products started reporting the following exception (error message):

    Key is weak (Application uses unlicensed code.
    Check http://rebex.net/infringement/ for info.).

We are sure that their "coders" are now busy searching the stolen code for other nasty surprises like this one – let's hope they'll enjoy it! But beware, date-based error messages might not necessarily be the only "improvements" they got from us ;-)

Some of their customers victims already contacted us. I guess XtraComponents have some explaining to do now.

In other news, we gave XtraComponents a wonderful opportunity last year to prove that their code was not stolen from us after they accused us of lying on a reputable third-party public forum (scroll down a bit) and their blog. Needless to say, instead of taking advantage of that opportunity, they did what they always do after they run out of arguments – they just stopped responding altogether. This kind of behavior actually supports our claim, doesn't it?

XtraComponents respond!

Even though the fake Mr. John Carban told us yesterday that he doesn't have to answer any of our questions, he later changed his mind and posted what he thinks were answers. Unfortunately, he filled the rest of his comment with his usual lies and nonsence, so we removed it. Instead, we reproduce his "answers" here.

Q: Can you prove that your company (XtraComponents) exists? We tried searching http://apps.sos.ky.gov/business/obdb/%28S%28pij3yiyqrrdsqr455rxjzda4%29%29/default.aspx but found no trace of it. Please explain.
A:. Our first XCs company is not in the US. We have an Offshore Business Office in the US.
Comment: He has not really proven anything, did he? He doesn't even have any real company info on his website.

Q: Can you prove that you are in fact a Microsoft Certified Partner, as you claim on your website?
A: It's our designers' mistakes. We are on the way to get these certificates.
Comment: Oh! So it was just an accident? Perhaps the fact that he stole our code is his developer's mistake then?

Q: The founders and owners of your company are nowhere to be found. Why? A linkedin.com profile would be nice. At least one that is older that a month.
A: It's not necessary to public his profile
Comment: He is right! Less people will buy his products if the founders are his best-kept secret :-)

Q: You claim to have a lot of corporate customers already. Can you prove that any of the companies featured at your website actually uses your software?
A: I can ask you the same question. Will you share your customer information with your competitor? It extremely violates our policy. Does itextremely violates your policy as well?
Comment: Actually, we have many customers who don't mind telling the world about us. Just check out our testimonials pages such as this. in comparison, Xtra's own testimonials page looks like something he just pulled out of his finger. But we are not surprised. A thief can't really publish the list of houses he has burgled, can he? ;-)

I still don't understand why we waste so much time with this guy thief. Perhaps because he is rather amusing?

Update: He responded again! I will spare you all his usual lies and insults and only repost his latest "answers":

Xtra: If someone curiously wanted to see, I would send him a scan copy of our legal business license. As I said our first XCs is not in the US, that why you could not find it at http://apps.sos.ky.gov/business/obdb/%28S%28pij3yiyqrrdsqr455rxjzda4%29%29/default.aspx
Rebex: Great! But why doesn't he publish this at his website, just like any real company? Oh, well...

Xtra: Not all CEOs have posted somethings on linkin. He is in this group.
Rebex: And some CEOs have choosen to steal other people's work and remain anonymous. He is also in this group.

Xtra: Check out our testimonials page. You can freely contact them.
Rebex: The people on his testimonials page seem to be pulled out of his finger. Why doesn't he just name one that exists to make it possible for his customers to contact him?

We don't see any reason to comment on the rest of his post. Empty threats like "If you delete this comment, 100% you are afraid of the truth." won't get him anywhere this time. There is no reason to preserve his further comments or prove anything any longer. He has already proven himself to be a questionable company by his "answers" to our question above.
He would simply use any proof we publish to "fix" his code and claim everything is alright. But we can prove this to anyone else who is interested - just contact us!

Introducing brand-new xtracomponents.com scam!

We just found out that ComponentForge simple change their name to XtraComponents(.com) and are back online doing their dirty business.  You might have noticed that their previous fraudulent websites - componentforge.com, safabyte.com and xtremeui.com - are no longer in a very good shape. In fact, they have been mostly non-functional for several weeks now. Are they running out of the money the stole already?

 

They registered their new domain name only six days ago and now they are offering stolen copies of Rebex FTP/SSL and Rebex SFTP for sale again. Interestingly, they don't have any other components in their portfolio yet. Why? Perhaps because it takes a lot of time to rename all the namespaces and classes – yes, they dropped their previous NetXtreme brand and call their offerings "Xtra FTP Pro Suite", "Xtra SFTP (SSH Secure FTP)", "Xtra FTP", "Xtra SCP" and "Xtra Proxy" now.

 

Earlier today, they started appearing in Google search:  * site:xtracomponents.com

 

Their new fake identity is John Carban. They even moved their virtual office from Nebraska to Kentucky! I am sure thay will be pretty disappointed tomorrow when they realize we already found out because it looks like lot of work and effort went into their latest name change. But they still didn't have enough time to redesign their website - if you were ComponentForge's or Safabyte's customer, I'm sure you will still recognize it.

 

Update 2009-12-16: XtraComponents just removed Microsoft Certified Partner logo from their website. See http://post.ly/FI3o

How to get rich fast (code monkey version)

How to get rich fast? If you are living in a country where copyright law is just for fun and you know how to write software, it's rather easy:

  1. Purchase a source code of some commercial software components.
  2. Rename all namespaces, methods, properties, etc.
  3. Throw away the samples and write new ones.
  4. Compile, repackage and sell as your own work.
  5. Profit!

This is exactly what a company (?) called ComponentForge or Safabyte did! Check out our website about ComponentForge/Safebyte scam if you are interested in details.

You'll soon find more posts about this case on this blog. More evidence, more traces, more about the people involved. Remember the book Cuckoo Egg book by Clifford Stoll about tracing a spy in a computer system which started at Berkeley campus back in eighties? Well, we probably won't find a Soviet agent here, but it can be interesting anyway. We already have some various traces to follow...

Would you like to know more?

Update (2009-10-16): They did it again, this time under XtraComponents brand!